or adopt a hybrid approach. According to Stephan
Somogyi, security and privacy product manager at
Google Inc., “no company can do everything well.”
For many companies, he recommends hiring external contractors so that the companies can “focus on
their core competencies while taking advantage of
the scale and skills of those that specialize in information security.” 17

3. Build security awareness. Effective security
awareness training is essential. Raising cybersecurity
awareness is critical, and every part of the organization should become familiar with cybersecurity best
practices. All employees who have access to confidential information, whether they are in sales,
marketing, human resources, finance, or senior
management — even temporary staff — should
receive cybersecurity awareness training.

Companies should encourage behaviors and
processes that integrate information security into
daily routines, and they should be sure to explain
why it’s important. Some companies are approaching cybersecurity training in ways that are similar
to training for ethics and regulatory compliance. A
few, such as Salesforce.com, are attempting to improve security-related behavior with gamification
programs. According to Patrick Heim, the company’s chief trust officer, employees who participated
in its security-related gamification program “were
50% less likely to click on a phishing link and 82%
more likely to report a phishing email.” 18

4. Create alliances. Recent data breaches show
that skillful hackers can replicate successful attacks.
Once hackers identify one security threat and exploit it, oftentimes they reuse the methodology to
attack another target. Given this possibility, it’s important for IT security staff to coordinate and share
information within their organization, within their
industry, and even with their competitors. Thus, it’s
important to create alliances with other companies
and with government agencies.

The private and public sectors need to come together to address the cybersecurity challenge. The
North Atlantic Treaty Organization (NATO) has
called on members to build alliances to combat
cybercrime. 19 By joining together, private businesses will be able to develop more comprehensive
cybersecurity strategies more economically.

5. Keep abreast of and follow best practices.
Many recent data breaches show that security policies are meaningless unless companies have a
rigorous, continual way of monitoring compliance. Cybersecurity threats are constantly shifting
as new security vulnerabilities are identified and
new types of malware are created. Sometimes,
even older threats that were thought to be under
control rear their heads with a vengeance. The
only way to confront modern cybersecurity
threats is to keep defensive processes up to date,
continually train personnel, stay current on the state
of information security, and use control-enabled
tools to proactively detect, analyze, and respond
to incidents.

Although hackers are always looking for new
ways to break in, organizations are also getting better all the time at “knowing their enemies.” Some go
so far as to invite hackers to identify vulnerabilities.
In March 2016, for example, the U.S. Department
of Defense launched a four-week bug bounty program in which participants were asked to use their
hacking skills to break into selected U.S. Department of Defense public web pages in exchange for
prizes and recognition. More than 250 participants
submitted at least one vulnerability report, and
more than half of the vulnerabilities were “
legitimate, unique, and eligible for a bounty,” said
then-Secretary of Defense Ashton B. Carter. 20
(Mission-facing systems were not included in the
program.) Other organizations, including MIT,
also use bug bounties21 along with more traditional
approaches to cybersecurity.

It’s important to create alliances with other companies andwith government agencies. The private and public sectorsneed to come together to address the cybersecurity challenge.